Rebound Attack - Florian Mendel, Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology (PowerPoint presentation transcript)
  1. Rebound Attack
     Florian Mendel
     Institute for Applied Information Processing and Communications (IAIK)
     Graz University of Technology
     Inffeldgasse 16a, A-8010 Graz, Austria
     http://www.iaik.tugraz.at/

  2. Outline
     1 Motivation
     2 Whirlpool Hash Function
     3 Application of the Rebound Attack
     4 Summary

  3. The Rebound Attack [MRST09]
     - Tool in the differential cryptanalysis of hash functions
     - Invented during the design of Grøstl
     - AES-based designs allow a simple application of the idea
     - Has been applied to a wide range of hash functions:
       Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ...

  4. The Rebound Attack
     [figure: E_bw | E_in | E_fw, labelled outbound / inbound / outbound]
     Applies to block cipher and permutation based designs:
       E = E_fw ∘ E_in ∘ E_bw
       P = P_fw ∘ P_in ∘ P_bw

  5. The Rebound Attack
     [figure: E_bw | E_in | E_fw, labelled outbound / inbound / outbound]
     - Inbound phase: efficient meet-in-the-middle phase in E_in using the available degrees of freedom
     - Outbound phase: probabilistic part in E_bw and E_fw; repeat the inbound phase if needed

  6. The Whirlpool Hash Function
     [figure: message blocks M_1, M_2, M_3, ..., M_t fed through f from IV to H(m)]
     - designed by Barreto and Rijmen in 2000 [BR00]
     - evaluated by NESSIE
     - standardized by ISO/IEC 10118-3:2003
     - iterative, based on the Merkle-Damgård design principle
     - message block, chaining values, hash size: 512 bit

  7. The Whirlpool Compression Function
     [figure: key schedule H_{j-1} → SB, SC, MR, AC; state update M_j → SB, SC, MR, AK → H_j]
     - 512-bit hash value, using 512-bit message blocks
     - Block-cipher based design (similar to AES)
     - Miyaguchi-Preneel mode with conservative key schedule

  8. The Whirlpool Round Transformations
     [figure: SubBytes S(x), ShiftColumns, MixRows, AddRoundKey (+ K_i)]
     - The state update and the key schedule update an 8 × 8 state S and K of 64 bytes
     - 10 rounds each
     - AES-like round transformation r_i = AK ∘ MR ∘ SC ∘ SB

  9. Notations
     Round i of the key schedule:  K_{i-1} -SB-> K_i^SB -SC-> K_i^SC -MR-> K_i^MR -AC-> K_i
     Round i of the state update:  S_{i-1} -SB-> S_i^SB -SC-> S_i^SC -MR-> S_i^MR -AK-> S_i

  10. Collision Attack on Whirlpool
     [figure: compression function with a difference ∆M_j injected in the message block M_j]
     - 1-block collision: fixed H_{j-1} (to IV)
       f(M_j, H_{j-1}) = f(M_j*, H_{j-1}),  M_j ≠ M_j*
     - generic complexity 2^256 (n = 512)

  11. Collision Attack on 4 Rounds
     [figure: key schedule K_0..K_4 (constant, derived from IV) and state update S_0..S_4 over 4 rounds, M_1 in, H_1 out]
     - Differential trail with minimum number of active S-boxes: 81 for any 4-round trail (1 → 8 → 64 → 8)
     - maximum differential probability: (2^-5)^81 = 2^-405
     - How to find a message pair following the differential trail?

  12. First: Use Truncated Differences
     [figure: state update S_0..S_4 over 4 rounds with active bytes marked]
     - byte-wise truncated differences: active / not active
     - we do not care about the actual differences
     - single active byte at input and output is enough
     - probabilistic in MixRows: 2^-56 for 8 → 1
     - we can remove many restrictions (more freedom)
     - hopefully less complexity of message search

  13. How to Find a Message Pair?
     [figure: state update S_0..S_4 over 4 rounds]
     - message modification?
     - inside out?
     - meet in the middle?
     - rebound!

  14. Rebound Attack on 4 Rounds [MRST09]
     [figure: S_0..S_4; rounds 1 and 4 labelled outbound phase, rounds 2 and 3 labelled inbound phase]
     Inbound phase
       (1) start with differences in round 2 and 3
       (2) match-in-the-middle at S-box using values of the state
     Outbound phase
       (3) probabilistic propagation in MixRows in round 1 and 4
       (4) match one-byte difference of feed-forward

  15. Inbound Phase
     [figure: example byte values of the states between S_2^SC and S_3^MR around SubBytes of round 3, annotated "differences", "match", "get values"]
     (1) Start with arbitrary differences in state S_3^MR
         - linearly propagate all differences backward to S_3^SB
         - linearly propagate row-wise forward from S_2^SC to S_2
     (2) Match-in-the-middle at SubBytes layer
         - check if differences can be connected (for each S-box)
         - with probability 2^-xx we get 2^xx solutions for each row

  16. Match-in-the-Middle for Single S-box
     [figure: ∆a → Sbox → ∆b]
     - Check for matching input/output differences
     - Using Difference Distribution Table (DDT)
       Sbox(x) ⊕ Sbox(x ⊕ ∆a) = ∆b

  17. Difference Distribution Table (Whirlpool)
     Excerpt of the DDT (rows: input difference, columns: output difference 10..1f; the dots mark where the slide truncates the table):

       in\out  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
       00       0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
       01       0  6  2  0  0  6  2  0  0  0  4  0  0  0  0  0
       02       0  0  0  0  0  0  0  2  0  0  0  0  4  0  0  0
       03       0  2  2  0  2  2  0  0  2  0  0  0  0  0  0  2
       04       0  0  2  2  0  4  0  0  0  2  2  2  2  0  2  0
       05       0  0  0  0  0  2  0  2  0  0  0  0  0  0  4  2
       06    .  4  0  2  0  0  2  0  0  2  6  2  4  0  2  2  0  .
       07    .  0  2  2  0  0  2  0  0  4  0  2  0  2  0  2  0  .
       08    .  0  0  0  0  2  2  2  0  0  0  0  2  2  4  4  0  .
       09       8  0  0  0  2  4  2  2  0  0  0  0  0  2  0  2
       0a       0  0  0  0  2  0  2  0  2  0  2  0  0  0  0  0
       0b       8  2  2  2  2  0  0  0  0  2  2  2  2  2  0  4
       0c       0  2  2  0  0  0  0  4  0  2  2  0  0  2  4  2
       0d       0  2  2  0  0  2  4  4  0  0  2  2  0  0  0  2
       0e       4  0  4  2  0  0  0  0  2  0  2  0  4  2  0  0
       0f       0  2  0  0  0  2  0  0  0  0  0  0  2  0  2  2
       ...

     - Differences can be connected if there is a non-zero entry in the table

  18. Match-in-the-Middle for Single S-box
     [figure: ∆a → Sbox → ∆b]
     - Check for matching input/output differences
     - Using Difference Distribution Table (DDT)
       Sbox(x) ⊕ Sbox(x ⊕ ∆a) = ∆b
     - Solve the equation for all x and count the number of solutions

  19. Difference Distribution Table (Whirlpool)
     The number of differentials and possible pairs for the Sbox:

       solutions   frequency
       0           39655
       2           20018
       4            5043
       6             740
       8              79
       256             1

     - 25880/65025 entries (with ∆a, ∆b ≠ 0) in the DDT are nonzero
     - we get either 2, 4, 6 or 8 values for each match
     - (25880/65025) · (65280/25880) = 65280/65025 ≈ 1.004 values (right pairs) on average

  20. Match-in-the-Middle for Single S-box
     [figure: ∆a → Sbox → ∆b]
     - Check for matching input/output differences
     - Using Difference Distribution Table (DDT)
       Sbox(x) ⊕ Sbox(x ⊕ ∆a) = ∆b
     - Solve the equation for all x and count the number of solutions
     - ∼ 1 values (right pairs) on average

  21. Inbound Phase
     [figure: example byte values of the states between S_2^SC and S_3^MR around SubBytes of round 3, annotated "differences", "match", "get values"]
     (1) Start with arbitrary differences in state S_3^MR
         - linearly propagate all differences backward to S_3^SB
         - linearly propagate row-wise forward from S_2^SC to S_2
     (2) Match-in-the-middle at SubBytes layer
         - check if differences can be connected (for each S-box)
         - we need to solve each row at once: complexity ∼ 2^10.6 (average 1)

  23. Outbound Phase
     [figure: S_0..S_4; round 1 outbound 2^-56, rounds 2-3 inbound average 1, round 4 outbound 2^-56]
     (3) Propagate through MixRows of round 1 and round 4 using truncated differences (active bytes: 8 → 1)
         - probability: 2^-56 in each direction
     (4) Match difference in one active byte of feed-forward (2^-8)
     ⇒ collision for 4 rounds of Whirlpool with complexity 2^120
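The S-box matching of slides 16-20 and the row-wise inbound step of slides 15 and 21, as an added worked example that is not part of the original presentation. It rebuilds the Whirlpool S-box from the 4-bit mini-boxes E and R of the Whirlpool specification, uses the MixRows matrix circ(01,01,04,01,08,05,02,09) over GF(2^8) with reduction polynomial x^8+x^4+x^3+x^2+1 (both as recalled from the specification; the orientation of the circulant is an assumption and does not affect the MDS property used here), computes the DDT statistics quoted on slide 19 (nonzero entries, average right pairs, and the per-row matching cost of slide 21), and runs the match-in-the-middle for one row. Simplification assumed: ShiftColumns is left out, so one row is matched straight through SubBytes; all function names are this example's own.

```python
# Added example, not code from the presentation. Assumptions: Whirlpool's
# mini-boxes E and R, the MixRows matrix and the field polynomial as recalled
# from the specification; ShiftColumns omitted so one row is matched directly.
import math
from collections import Counter

# 4-bit mini-boxes of the Whirlpool S-box: S(u||l) is built from E, E^-1 and R.
E = [0x1, 0xB, 0x9, 0xC, 0xD, 0x6, 0xF, 0x3, 0xE, 0x8, 0x7, 0x4, 0xA, 0x2, 0x5, 0x0]
R = [0x7, 0xC, 0xB, 0xD, 0xE, 0x4, 0x9, 0xF, 0x6, 0x3, 0x8, 0xA, 0x2, 0x5, 0x1, 0x0]
E_INV = [E.index(v) for v in range(16)]

def _sbox_entry(x):
    u, l = E[x >> 4], E_INV[x & 0xF]
    r = R[u ^ l]
    return (E[u ^ r] << 4) | E_INV[l ^ r]

SBOX = [_sbox_entry(x) for x in range(256)]

def gf_mul(a, b):  # multiplication in GF(2^8) modulo x^8+x^4+x^3+x^2+1 (0x11D)
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11D
        b >>= 1
    return p

def gf_inv(a):
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)

# MixRows multiplies each 8-byte row by the circulant MDS matrix
# circ(01,01,04,01,08,05,02,09); C_INV (Gauss-Jordan over GF(2^8)) runs it backward.
C = [[[1, 1, 4, 1, 8, 5, 2, 9][(j - i) % 8] for j in range(8)] for i in range(8)]

def mat_inv(m):
    n = len(m)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        p = next(r for r in range(c, n) if a[r][c])
        a[c], a[p] = a[p], a[c]
        f = gf_inv(a[c][c])
        a[c] = [gf_mul(f, v) for v in a[c]]
        for r in range(n):
            if r != c and a[r][c]:
                g = a[r][c]
                a[r] = [v ^ gf_mul(g, w) for v, w in zip(a[r], a[c])]
    return [row[n:] for row in a]

C_INV = mat_inv(C)

def mix_row(row, mat=C):
    """Apply C (forward) or C_INV (backward) to one row; MixRows is linear,
    so byte differences propagate exactly like values."""
    out = []
    for i in range(8):
        acc = 0
        for j in range(8):
            acc ^= gf_mul(mat[i][j], row[j])
        out.append(acc)
    return out

# Difference Distribution Table: DDT[da][db] = #{x : S(x) ^ S(x ^ da) = db}.
DDT = [[0] * 256 for _ in range(256)]
for _da in range(256):
    for _x in range(256):
        DDT[_da][SBOX[_x] ^ SBOX[_x ^ _da]] += 1

def ddt_stats():
    """Histogram of entries with da, db != 0, number of nonzero entries, average
    right pairs per differential, and log2 cost of connecting all 8 S-boxes of a row."""
    cells = [DDT[da][db] for da in range(1, 256) for db in range(1, 256)]
    hist = dict(Counter(cells))
    nonzero = sum(1 for c in cells if c)
    avg_pairs = sum(cells) / len(cells)
    row_cost_log2 = -8 * math.log2(nonzero / len(cells))
    return hist, nonzero, avg_pairs, row_cost_log2

def inbound_row(out_pos=0, in_pos=0):
    """One row of the inbound phase: a single active byte at out_pos after MixRows
    of round 3 is propagated backward (C_INV) to the S-box output difference db; a
    single active byte at in_pos before MixRows of round 2 is propagated forward (C)
    to the input difference da (both full rows, MDS). Difference values are scanned
    until every S-box connects in the DDT; returns (trials, da, db, values per box)."""
    trials = 0
    for d_out in range(1, 256):
        db = mix_row([d_out if i == out_pos else 0 for i in range(8)], C_INV)
        for d_in in range(1, 256):
            trials += 1
            da = mix_row([d_in if i == in_pos else 0 for i in range(8)])
            if all(DDT[a][b] for a, b in zip(da, db)):
                vals = [[x for x in range(256) if SBOX[x] ^ SBOX[x ^ a] == b]
                        for a, b in zip(da, db)]
                return trials, da, db, vals
    return trials, None, None, None

if __name__ == "__main__":
    hist, nonzero, avg, cost = ddt_stats()
    print("DDT histogram:", sorted(hist.items()), "nonzero:", nonzero,
          f"avg right pairs {avg:.3f}, row match cost ~2^{cost:.1f}")
    trials, da, db, vals = inbound_row()
    print(f"row connected after {trials} trials; {math.prod(map(len, vals))} value tuples")
```

The per-row cost printed by ddt_stats is (65025/25880)^8, i.e. the chance that eight independent S-box differentials are all nonzero in the DDT, which is where the 2^10.6 of slide 21 comes from; once a row connects, the number of conforming value tuples is the product of the eight DDT entries, which is why the average cost per solution is about 1.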

  24. Extending the Attack to 5 Rounds [LMR+09]
     [figure: S_0..S_5; round 1 outbound 2^-56, rounds 2-4 inbound average 1, round 5 outbound 2^-56]
     - By adding one round in the inbound phase of the attack we can extend the attack to 5 rounds
     - The outbound phase is identical to the attack on 4 rounds: probability 2^-120
     ⇒ Construct 2^120 starting points in the inbound phase with average complexity 1 (but increased memory of 2^64)
